Make WordPress Core

Opened 10 years ago

Last modified 7 years ago

#26474 new enhancement

Add Filter to Username/Password Fields on Login Form?

Reported by: cgrymala Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 3.8
Component: Login and Registration Keywords: dev-feedback needs-patch
Focuses: Cc:

Description

As a state institution, we are required to remain PCI-compliant. One of the areas we've been dinged in scans in the past, albeit an area that they consider "low risk", is the fact that the username and password fields allow autocomplete.

I understand that it's probably not preferable for everyone using WordPress to have autocomplete turned off on those fields, but it would be nice if it was simple to at least filter those fields to turn it off (or, at the very least, add that as one of the "args" that are used when the form is built).

This should obviously be used both in wp-login.php and in the wp_login_form function within wp-includes/general-template.php

I'm happy to work up a patch for this if this is something that might be supported. Thanks.

Attachments (1)

wp-login.diff (3.6 KB) - added by davidjlaietta 7 years ago.


Change History (8)

#1 @TobiasBg
10 years ago

#26579 was marked as a duplicate.

#2 @kitchin
10 years ago

  • Cc kitchin@… added

#3 @stewarty
10 years ago

Ideally, would be great to add other parameters as well. I just had to add placeholder="" to both fields.

A workaround is to return the string rather than echo the form where you're using it and then str_replace the HTML as needed.

Stewart
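
The workaround described in comment #3, written out as an added example (not part of the ticket, the attached patch, or WordPress core). The function name example_set_login_autocomplete and the sample markup are constructed for illustration; "log" and "pwd" are the field names wp_login_form() emits.

```php
<?php
// Added example, not WordPress core code.
// Sets the autocomplete attribute on the username and password inputs of a
// login form held as an HTML string, such as the return value of
// wp_login_form( array( 'echo' => false ) ).

function example_set_login_autocomplete( $html, $value = 'off' ) {
    // Field names used by wp_login_form(): "log" (username), "pwd" (password).
    $targets = array( 'log', 'pwd' );

    return preg_replace_callback(
        '/<input\b[^>]*>/i',
        function ( $m ) use ( $targets, $value ) {
            $tag = $m[0];

            // Leave every input alone unless its name is one of the targets.
            if ( ! preg_match( '/\sname\s*=\s*(["\'])(.*?)\1/i', $tag, $name )
                || ! in_array( $name[2], $targets, true ) ) {
                return $tag;
            }

            // Remove an existing autocomplete attribute so it is not duplicated.
            $tag = preg_replace( '/\s+autocomplete\s*=\s*(["\']).*?\1/i', '', $tag );

            // Cut the tag just before its closing ">" or "/>" and append the attribute.
            preg_match( '/\s*\/?>$/', $tag, $end, PREG_OFFSET_CAPTURE );
            $attr = ' autocomplete="' . htmlspecialchars( $value, ENT_QUOTES ) . '"';

            return substr( $tag, 0, $end[0][1] ) . $attr . ' />';
        },
        $html
    );
}

// Constructed sample markup in the shape wp_login_form() returns.
$form = '<form name="loginform" id="loginform" action="/wp-login.php" method="post">'
    . '<input type="text" name="log" id="user_login" class="input" value="" size="20" />'
    . '<input type="password" name="pwd" id="user_pass" class="input" value="" size="20" />'
    . '<input type="checkbox" name="rememberme" id="rememberme" value="forever" />'
    . '<input type="submit" name="wp-submit" id="wp-submit" value="Log In" />'
    . '</form>';

echo example_set_login_autocomplete( $form ), "\n";

// Inside a theme or plugin (assumes WordPress is loaded):
// echo example_set_login_autocomplete( wp_login_form( array( 'echo' => false ) ) );
```

Only the two credential inputs gain autocomplete="off"; the checkbox and submit button are returned unchanged. Browser password managers commonly ignore autocomplete="off" on login fields, so this changes what a scanner sees in the markup rather than guaranteeing that credentials are never stored.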

#4 in reply to: ↑ description @jphase
10 years ago

  • Component changed from General to Login and Registration
  • Keywords dev-feedback 2nd-opinion added

Replying to cgrymala:

> As a state institution, we are required to remain PCI-compliant. One of the areas we've been dinged in scans in the past, albeit an area that they consider "low risk", is the fact that the username and password fields allow autocomplete.
>
> I understand that it's probably not preferable for everyone using WordPress to have autocomplete turned off on those fields, but it would be nice if it was simple to at least filter those fields to turn it off (or, at the very least, add that as one of the "args" that are used when the form is built).
>
> This should obviously be used both in wp-login.php and in the wp_login_form function within wp-includes/general-template.php
>
> I'm happy to work up a patch for this if this is something that might be supported. Thanks.

It would be great to have an additional filter for the login form as well so we wouldn't have to use output buffers and regex to make customizations. I'd be happy to help with this if needed as well.

#5 @chriscct7
8 years ago

  • Keywords needs-patch added; 2nd-opinion removed

#6 @davidjlaietta
7 years ago

Attached a diff that creates a function to handle password attributes.

The function applies some defaults, merges in whatever values would be default to a specific password field, and allows a filter to add new attributes.

add_filter( 'wp_password_input_attributes', 'wporg_add_attributes' );
function wporg_add_attributes( $defaults ) {
    // Attributes to add to the password input.
    $attributes = array(
        'new_attribute' => 'new_attribute_val',
    );

    // Merge the new attributes over the defaults passed to the filter.
    $attributes = array_merge( $defaults, $attributes );

    return $attributes;
}

The above is an example usage of the filter to add a new attribute and value new_attribute="new_attribute_val"

#7 @davidjlaietta
7 years ago

My patch only changes the three instances of password inputs in wp-login.php. There are other instances of password inputs in the following files to be changed if approved:

/wp-admin/includes/file.php
/wp-admin/install.php
/wp-admin/user-edit.php
/wp-admin/user-new.php
/wp-includes/general-template.php
/wp-includes/post-template.php
